CVE-2026-34164
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService
Description
### Summary

The `InboxHandlingService` logs the full content of every incoming inbox message at INFO level (`logger.info("Received message: {}", message)`). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.

### Impact

This data is exposed to:

- Anyone with access to application logs (stdout/log files)
- Any Valtimo user with the admin role, through the logging module in the Admin UI

### Affected Code

`com.ritense.inbox.InboxHandlingService#handle` in the `inbox` module.

### Resolution

Fixed in [13.22.0](https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0) via commit [`f16a1940ba`](https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335) (PR [#497](https://github.com/valtimo-platform/valtimo/pull/497), tracking issue [gzac-issues#653](https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653)). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.

### Mitigation

For versions before 13.22.0, consider:

- Restricting access to application logs
- Adjusting the log level for `com.ritense.inbox` to WARN or higher in your application configuration
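As an added illustration (not Valtimo's own code), the logging pattern the advisory describes next to a hardened form, with a capture-based check showing that the payload no longer reaches the log even when DEBUG output is enabled. It uses `java.util.logging` instead of SLF4J so it runs stand-alone; the message shape, logger name and BSN value are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

public class InboxLoggingExample {
    // Constructed stand-in for an inbox message wrapping outbox data; the BSN in main() is made up.
    record InboxMessage(String id, String type, Map<String, Object> payload) {}

    private static final Logger LOGGER = Logger.getLogger("com.ritense.inbox.example"); // hypothetical name

    // The pattern the advisory describes: the whole message, payload included, is logged at INFO.
    static void handleVulnerable(InboxMessage message) {
        LOGGER.log(Level.INFO, "Received message: {0}", message);
    }

    // Hardened form: only non-sensitive identifiers, and only at DEBUG (FINE in java.util.logging).
    static void handleFixed(InboxMessage message) {
        LOGGER.log(Level.FINE, "Received inbox message id={0} type={1}",
                new Object[] {message.id(), message.type()});
    }

    // Check: capture every line the handler emits (at any level) and test whether the secret appears.
    static boolean leaksValue(Consumer<InboxMessage> handler, InboxMessage message, String secret) {
        List<String> lines = new ArrayList<>();
        Handler capture = new Handler() {
            @Override public void publish(LogRecord r) { lines.add(new SimpleFormatter().formatMessage(r)); }
            @Override public void flush() {}
            @Override public void close() {}
        };
        capture.setLevel(Level.ALL);
        LOGGER.setLevel(Level.ALL);            // simulate a deployment with DEBUG logging switched on
        LOGGER.setUseParentHandlers(false);    // keep captured records off the console
        LOGGER.addHandler(capture);
        try {
            handler.accept(message);
        } finally {
            LOGGER.removeHandler(capture);
        }
        return lines.stream().anyMatch(line -> line.contains(secret));
    }

    public static void main(String[] args) {
        InboxMessage msg = new InboxMessage("msg-1", "zaak.created", Map.of("bsn", "999990019")); // constructed
        System.out.println("vulnerable handler leaks BSN: " + leaksValue(InboxLoggingExample::handleVulnerable, msg, "999990019"));
        System.out.println("fixed handler leaks BSN:      " + leaksValue(InboxLoggingExample::handleFixed, msg, "999990019"));
    }
}
```

The same capture approach can be pointed at any handler that touches inbox or outbox data to confirm no identifier or case field reaches the log stream, independent of the configured level.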
How to fix CVE-2026-34164
To fix CVE-2026-34164, upgrade the affected package to the patched version listed below.
- — Upgrade to 13.22.0.RELEASE or later
Is CVE-2026-34164 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed at present.
Affected packages (1)
- >= 13.0.0.RELEASE, < 13.22.0.RELEASE